This is great news. Not only are they standards compliant and do not require a separate app, but also, considering that Microsoft offers only weak passwords across their entire line of services, at least some of their users can now keep their accounts secure. There are still good people working at Microsoft. *happy tear*

Edit: Since everybody is too lazy to use Google, here's a reply to the highly upvoted question. Perhaps this will clear up some misconceptions.

Right, you did and then they were automatically cut down to 12 characters (or something along those lines) regardless of what you've entered. That's how it was handled in Hotmail. With Outlook, they set a slightly higher limit for maximum password length instead of just obscuring it, but this generally still implies that passwords aren't being hashed, which in return means that they can be checked via a rainbow table. This is all fairly well-documented.

Silly Google, if they had only patented it they could have pulled an Apple on MS and made away with millions in licensing fees.

Oh well, next time... *evil grin*

RSA did invent/patent such a system. But, for many uses, it is too expensive and complicated to manage. It works in controlled corporate environments but would not work for Google, Microsoft, Amazon, and such. RSA is not evil.

So, how would I go about linking my Google Authenticator to my Microsoft account? (To be fair, I don't really ever use my Microsoft account)

Misread this. Instructions are actually for using MS authenticator to access google services...

Just go into two-factor auth settings under security settings in Gmail. There's mention of using an authenticator app. Select iPhone (even though you have a WP) since there's no WP option. It'll show you a QR code.

On the app side, add an account, enter the name, and then scan the QR code from the app. Back on the Google site you'll need to enter the code on your authenticator screen. That's it.

If you are using the iOS Google Authenticator app, I'm guessing once Microsoft turns on the system they'll display a QR code containing the authentication info and in the iOS app you need to click the little (+) sign and scan the QR code. That's it.

I've built our work VPN code using the same technology and the RADIUS server from RCDevs.com

As an aside, PayPal two-factor authentication can be bypassed if you have a credit card number that matches the one on file. If they have your email password and a card number, you are pwned.

I really don't like text messaging as the delivery means. Texting can be hacked as well. The RSA code generator is the way to go IF the system is set up to always use one. In the case of paypal, they have terrible practices, bypassing the RSA code generator on password resets.

I'm not clear how hacking text messaging would thwart 2-factor here? Are you suggesting a hacker could intercept a text intended for you?

I've been looking at DuoSecurity, their two factor system is based on pushing you a code (SMS or otherwise) when you try to login. This seems much faster/easier than GA Authenticator.

Side note: it seems silly/wrong to call this real two-factor auth when I'm logging into Gmail on my phone and it prompts me for my auth code, which I get by switching apps on my phone to copy/paste... Better, yes, but two-factor really should mean something separate like an RSA key fob.

Microsoft truncates all MS Account passwords at sixteen characters. Not that a reasonably complex (i.e. non-dictionary-word) sixteen-character password wouldn't still take years to brute force, but still.

This. This is what can be accomplished when two companies use standards-compliant technologies. Microsoft doesn't have to maintain a special Android app, nor does Google have to maintain a Windows Phone app. It makes life easier for the companies, and for users who don't have to juggle 3-4 different apps. I hope that Apple, Facebook, and others may also adopt such a method, so that 1 app may work to authenticate many platforms.

Those bastards. Only allowing 16-character alpha/numeric/special char passwords? What are they thinking? Oh yeah, I remember, they are thinking that no one uses passwords over 16 characters. That's what they are thinking. If you can't come up with something complex enough with 16 characters, then you are way too paranoid to even be plugged into the internet.

Some people understand that pass phrases are easier to remember and harder to break than some 16-character mess of alpha/numeric/special chars.

Not that long ago, Microsoft's tangle of various decrepit online products and services was an ugly joke with multiple identity systems and rickety portals with outdated principles and limited compatibility. In a very short period of time, they have breathed fresh life into their services, especially Office365 and Outlook-née-Hotmail. Now with things like two-factor authentication, they've caught up and are keeping up, and they're once again rubbing elbows with market leaders and actually competitive outside their own world. I'm glad to see it. I'd love a world in which the thought of working with a Microsoft product didn't elicit groans.

There are those of us that use password management tools like 1Password or LastPass and like to have the app generate 16+ character passwords. I wouldn't say that's being particularly paranoid.

What do you mean by "Microsoft only offers "weak" passwords..." exactly?

Because my Microsoft Account isn't weak by any stretch of any imagination. I guarantee that NOBODY will EVER get into my account based on the password I have currently.

There is also the added benefit that if anyone does figure out my password I have to approve their access through an SMS code.

If they hack your email account, they can reset just about any password you've got just by clicking 'forgot my password'. It's the keys to the kingdom really. I'm paranoid, yes, but for my email account that's hooked up to all my bank/brokerage accounts, I want 25+ characters of gibberish and 2-factor authentication. Password managers can manage the hassle for you.

Please cite your source.

Google it, there's plenty of references. Or, find out like I did by trying to use a longer one. They helpfully truncate it for you (silently) if you enter one longer. I didn't notice for a while because the website login does the same. Took me forever to figure out why my password wouldn't work from a mail client.

Text messages are not encrypted, to the best of my knowledge. They use the "voice" channel on GSM, but not the crypto. I don't know how it is handled on CDMA. You may recall Twitter open sourcing their TextSecure program to give texting some privacy, but this needs to be endpoint to endpoint. The other problem is every time they add a new cell phone standard or band, the old service monitors go on eBay. When they wrote the ECPA, it was never envisioned that private citizens would own service monitors. They were so freaking expensive. A service monitor hears everything. The ECPA dates back to 1986. eBay didn't even exist.

I block texting due to the "silent ping".

Actually I believe most of the modern cell traffic is much more difficult to "listen in to" on the fly.
